Hi list,
I've got an issue at the moment, which isn't really a big problem, but an
untidy annoyance really, and I'd just like to understand what the best
practice might be when dealing with the issue.
As a really quick summary, the issue is that Puppet is starting up the
mysqld service for the first time as unconfined_u, and then when MySQL goes
and creates a load of its initial files also as unconfined_u, Puppet goes
and resets them all to system_u which is what they should be when checking
matchpathcon:
The thing is, because the service is started as unconfined_u, any
databases/tables that are created are going to inherit that, and puppet is
going to be resetting them.
For some more detail, I've written something which will set the mysqld_db_t
selinux file_context on my data directories which are in /home, and I have a
notify which will go and check and re-set the selinux file_context if there
are any changes in these directories. They're set to recurse, so to stop
Puppet changing things from unconfined_u to system_u on a regular basis, and
sending refresh notices to my Exec resources, I've set
selinux_ignore_defaults to true in my File resources.
This strikes me as a bit of a dirty way of doing things, and I was wondering
if anyone had any better ideas of how to manage this.
Please find below a sample of the relevant code - because I'm sure my
verbose description is probably leaving some people scratching their heads!
:) I was going to make the file_context stuff much more re-usable, but want
to get my head around the best practices first - as I'm not that experiened
with all of this stuff to be honest!
Many thanks. Tom.
# List of directories we're going to use with MySQL
$mysqldirs = [ "/home/data", "/home/logs", "/home/mysqltmp", ]
# Set SELinux contexts
define add_selinux_context ($context = "mysqld_db_t") {
file { $name:
ensure => "directory",
owner => "mysql",
group => "mysql",
seltype => "mysqld_db_t",
selinux_ignore_defaults => "true",
recurse => "true",
require => Package["mysql-server"],
notify => [ Exec["add_file_context_${context}_${name}"],
Exec["set_file_context_${context}_${name}"], ],
}
# Set the default file_context regex for the path
exec { "add_file_context_${context}_${name}":
command => "semanage fcontext -a -t ${context} \"${name}(/.*)?\"",
unless => "semanage fcontext -l | grep '^${name}(/.*)?:${context}:'",
require => [ Package["policycoreutils-python"], File[$name], ],
refreshonly => "true",
}
# Reset the file_context using restorecon
exec { "set_file_context_${context}_${name}":
command => "restorecon -R ${name}",
unless => "ls -d --scontext ${name} | awk -F: '{print \$3}' | grep
\"${context}\"",
require => File["$name"],
refreshonly => "true",
}
}
add_selinux_context { $mysqldirs:
context => "mysqld_db_t",
}
# Keep it running
service { "mysqld":
ensure => "running",
hasstatus => true,
require => [ Package["mysql-server"], File[$mysqldirs], ]
}
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
